CVE-2017-1000111

Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
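
The last two sentences of that description are the practical exposure test: the affected code is only reachable with CAP_NET_RAW, and an unprivileged user namespace hands that capability out. The C program below is an added example, not code from the advisory, the kernel, or the Ubuntu tracker; it forks a child that calls unshare(CLONE_NEWUSER|CLONE_NEWNET) and then tries to open an AF_PACKET socket, so an administrator can tell whether an unprivileged local user on a given host can reach packet_set_ring at all. The enum, function names and result strings are this example's own. Ubuntu and Debian kernels of that era also expose a kernel.unprivileged_userns_clone sysctl; the probe reflects its effect rather than reading it.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of the probe (names are this example's own, not kernel constants). */
enum probe_result {
    PROBE_PACKET_SOCKET_OK = 0, /* AF_PACKET socket opened without root: CVE surface reachable */
    PROBE_UNSHARE_DENIED = 1,   /* no unprivileged user namespaces: CAP_NET_RAW not obtainable this way */
    PROBE_SOCKET_DENIED = 2,    /* namespace created, but the socket call was still refused */
    PROBE_ERROR = 3             /* fork/wait failure, nothing learned */
};

/* Runs in a forked child so the namespace switch never touches the caller. */
static int probe_child(void)
{
    /* CLONE_NEWNET matters: the kernel checks CAP_NET_RAW against the user
     * namespace that owns the *network* namespace, so a new user namespace
     * that is still attached to the host netns gets EPERM on socket(). */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {
        perror("unshare");
        return PROBE_UNSHARE_DENIED;
    }

    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        perror("socket(AF_PACKET)");
        return PROBE_SOCKET_DENIED;
    }
    close(fd);
    return PROBE_PACKET_SOCKET_OK;
}

/* Returns one of enum probe_result for the current host and caller. */
int probe_unprivileged_packet_socket(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0)
        _exit(probe_child());

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

const char *probe_describe(int r)
{
    switch (r) {
    case PROBE_PACKET_SOCKET_OK:
        return "AF_PACKET socket opened inside an unprivileged user namespace: packet_set_ring is reachable without root";
    case PROBE_UNSHARE_DENIED:
        return "unshare(CLONE_NEWUSER|CLONE_NEWNET) refused: this path to CAP_NET_RAW is closed";
    case PROBE_SOCKET_DENIED:
        return "namespace created but socket(AF_PACKET) refused";
    default:
        return "probe failed";
    }
}

int main(void)
{
    /* Root already holds CAP_NET_RAW, so a root run says nothing about unprivileged users. */
    if (geteuid() == 0)
        fprintf(stderr, "note: running as root; rerun as an unprivileged user for a meaningful answer\n");
    int r = probe_unprivileged_packet_socket();
    printf("%s\n", probe_describe(r));
    return r;
}
```

Run it as an ordinary user on each host you are assessing. PROBE_PACKET_SOCKET_OK means an unpatched kernel is exposed to any local user, which is the situation the description warns about; PROBE_UNSHARE_DENIED is the situation the note below about Precise describes, where the race still exists but an unprivileged process cannot obtain the socket to trigger it.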

Ubuntu-Description

Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code.

sbeattie> fix subject "net-packet: fix race in packet_set_ring on PACKET_RESERVE"
smb> While working on the embargoed CVE we decided that Precise cannot be
smb> exploited due to the missing user namespace support.